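#!/bin/sh
#################################################################
#
# Example Script from
# Linux Firewalls, Third Edition
# Steve Suehring, Robert Ziegler
#
# This script should not be used.
#
# THERE IS NO WARRANTY FOR THIS SCRIPT, TO THE EXTENT PERMITTED
# BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING
# THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE
# SCRIPT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE
# OF THE SCRIPT IS WITH YOU. SHOULD THE SCRIPT PROVE
# DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
# REPAIR OR CORRECTION.
#
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
# WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY
# MODIFY AND/OR REDISTRIBUTE THE SCRIPT, BE
# LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
# INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
# INABILITY TO USE THE SCRIPT (INCLUDING BUT NOT LIMITED TO
# LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES
# SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE SCRIPT
# TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR
# OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
# DAMAGES.
#
#################################################################
#
# Usage: firewall.sh [stop]
#
#   no argument  flush every table, install default-DROP policies on the
#                filter table and then load the rules below
#   stop         flush every table and leave all policies at ACCEPT, i.e.
#                no packet filtering at all
#
# The host is assumed to sit between a DMZ-facing interface and a
# LAN-facing interface (plus loopback).  Every sysctl write and every
# iptables call needs root, so the script refuses to run otherwise.

if [ "$(id -u)" -ne 0 ]; then
  echo "${0##*/}: must be run as root" >&2
  exit 1
fi

# FTP connection-tracking helper so the data channel is matched as RELATED.
# Current kernels name the module nf_conntrack_ftp; ip_conntrack_ftp is the
# older name, tried as a fallback.
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp

CONNECTION_TRACKING="1"              # 1 = gate ping rules on the state match
ACCEPT_AUTH="0"                      # NOTE(review): declared but unused; the
                                     # AUTH (113) rules below are unconditional
DHCP_SERVER="1"                      # 1 = this host serves DHCP on the LAN

IPT="/sbin/iptables"                 # Location of iptables on your system

DMZ_INTERFACE="eth0"                 # network interface to the DMZ
LAN_INTERFACE="eth1"                 # network interface to the LAN
LOOPBACK_INTERFACE="lo"              # however your system names it

DMZ_IPADDR="192.168.1.126"           # DMZ IP address
GATEWAY_IPADDR="192.168.1.65"        # gateway firewall - the router
DMZ_ADDRESSES="192.168.1.64/26"      # DMZ IP address range
DMZ_NETWORK="192.168.1.64"           # DMZ subnet base address
DMZ_BROADCAST="192.168.1.127"        # DMZ broadcast address

LAN_IPADDR="192.168.1.129"           # LAN IP address
LAN_ADDRESSES="192.168.1.128/26"     # LAN IP address range
LAN_NETWORK="192.168.1.128"          # LAN subnet base address
LAN_BROADCAST="192.168.1.191"        # LAN broadcast address
LAN_NETMASK="255.255.255.192"

NAMESERVER="192.168.1.10"            # address of a remote name server
POP_SERVER="192.168.1.10"            # address of a remote pop server
MAIL_SERVER="192.168.1.10"           # address of a remote mail gateway
NEWS_SERVER="192.168.1.10"           # address of a remote news server
TIME_SERVER="192.168.1.10"           # address of a remote time server
                                     # (NTP rules below use GATEWAY_IPADDR)
# Renamed from DHCP_SERVER: the original assignment silently overwrote the
# DHCP_SERVER="1" flag above, so the flag test never matched.
DHCP_SERVER_ADDRESS="192.168.1.10"   # address of your ISP dhcp server
SSH_CLIENT="192.168.1.0/24"          # NOTE(review): covers the whole /24,
                                     # i.e. both DMZ and LAN; narrow to the
                                     # administrative hosts
PRINTER_ADDRESS="192.168.1.10"

LOOPBACK="127.0.0.0/8"               # reserved loopback address range
CLASS_A="10.0.0.0/8"                 # Class A private networks
CLASS_B="172.16.0.0/12"              # Class B private networks
CLASS_C="192.168.0.0/16"             # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"      # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"   # Class E reserved addresses
BROADCAST_SRC="0.0.0.0"              # broadcast source address
BROADCAST_DEST="255.255.255.255"     # broadcast destination address
PRIVPORTS="0:1023"                   # well-known, privileged port range
UNPRIVPORTS="1024:65535"             # unprivileged port range

###############################################################
# Kernel hardening via /proc/sys/net/ipv4

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$f"
done

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > "$f"
done

# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

# Log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 1 > "$f"
done

###############################################################
# Remove any existing rules from all chains

"$IPT" --flush
"$IPT" -t nat --flush
"$IPT" -t mangle --flush
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -t mangle -X

# nat and mangle do no filtering here; their built-in chains stay open.
"$IPT" -t nat --policy PREROUTING ACCEPT
"$IPT" -t nat --policy OUTPUT ACCEPT
"$IPT" -t nat --policy POSTROUTING ACCEPT
"$IPT" -t mangle --policy PREROUTING ACCEPT
"$IPT" -t mangle --policy OUTPUT ACCEPT

if [ "${1:-}" = "stop" ]; then
  "$IPT" --policy INPUT ACCEPT
  "$IPT" --policy OUTPUT ACCEPT
  "$IPT" --policy FORWARD ACCEPT
  echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
  exit 0
fi

# Set the default policy to drop.  This is done before any ACCEPT rule is
# loaded so there is no window with empty chains and ACCEPT policies; the
# original set ACCEPT here, which left the ruleset below toothless.
"$IPT" --policy INPUT DROP
"$IPT" --policy OUTPUT DROP
"$IPT" --policy FORWARD DROP

# Unlimited traffic on the loopback interface
"$IPT" -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
"$IPT" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

###############################################################
# Stealth Scans and TCP State Flags

# All of the bits are cleared
"$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
"$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN and RST are both set
"$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN and RST are both set
"$IPT" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

###############################################################
# Using Connection State to By-pass Rule Checking

# Using the state module alone, INVALID will break protocols that use
# bidirectional connections or multiple connections or exchanges,
# unless an ALG is provided for the protocol. At this time, FTP is the
# only protocol with ALG support.

"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

"$IPT" -A INPUT -m state --state INVALID -j LOG \
  --log-prefix "INVALID input: "
"$IPT" -A INPUT -m state --state INVALID -j DROP

"$IPT" -A OUTPUT -m state --state INVALID -j LOG \
  --log-prefix "INVALID output: "
"$IPT" -A OUTPUT -m state --state INVALID -j DROP

"$IPT" -A FORWARD -m state --state INVALID -j LOG \
  --log-prefix "INVALID forward: "
"$IPT" -A FORWARD -m state --state INVALID -j DROP

###############################################################
# Source Address Spoofing and Other Bad Addresses

# Refuse spoofed packets pretending to be from you
"$IPT" -A INPUT -s "$DMZ_IPADDR" -j DROP
"$IPT" -A INPUT -s "$LAN_IPADDR" -j DROP
"$IPT" -A FORWARD -s "$DMZ_IPADDR" -j DROP
"$IPT" -A FORWARD -s "$LAN_IPADDR" -j DROP

"$IPT" -A INPUT -i "$DMZ_INTERFACE" \
  -s "$LAN_ADDRESSES" -j DROP
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" \
  -s "$LAN_ADDRESSES" -j DROP

# "! -s" is the supported negation form; "-s ! addr" is deprecated.
"$IPT" -A FORWARD -i "$LAN_INTERFACE" \
  ! -s "$LAN_ADDRESSES" -j DROP

"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" ! -s "$DMZ_IPADDR" -j DROP

# DHCP server replies leave with source 0.0.0.0 / sport 67, so this
# exception must come before the LAN source-address check; the original
# had the DROP first, which made the exception unreachable.
if [ "$DHCP_SERVER" = "1" ]; then
  "$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
    -s "$BROADCAST_SRC" --sport 67 \
    -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
fi

"$IPT" -A OUTPUT -o "$LAN_INTERFACE" ! -s "$LAN_IPADDR" -j DROP

# Refuse malformed broadcast packets: 0.0.0.0 is never a valid destination
# and 255.255.255.255 is never a valid source.  (The original listed the
# destination rule twice.)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -d "$BROADCAST_SRC" -j DROP
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -s "$BROADCAST_DEST" -j DROP

# Don't forward directed broadcasts
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -d "$DMZ_NETWORK" -j DROP
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" \
  -d "$DMZ_BROADCAST" -j DROP

# Don't forward limited broadcasts in either direction
"$IPT" -A FORWARD -d "$BROADCAST_DEST" -j DROP

# Multicast is only meaningful over UDP
"$IPT" -A INPUT ! -p udp -d "$CLASS_D_MULTICAST" -j DROP
"$IPT" -A FORWARD ! -p udp -d "$CLASS_D_MULTICAST" -j DROP

###############################################################
# ICMP Control and Status Messages

# Log and drop initial ICMP fragments
"$IPT" -A INPUT --fragment -p icmp -j LOG \
  --log-prefix "Fragmented incoming ICMP: "
"$IPT" -A INPUT --fragment -p icmp -j DROP

"$IPT" -A OUTPUT --fragment -p icmp -j LOG \
  --log-prefix "Fragmented outgoing ICMP: "
"$IPT" -A OUTPUT --fragment -p icmp -j DROP

"$IPT" -A FORWARD --fragment -p icmp -j LOG \
  --log-prefix "Fragmented forwarded ICMP: "
"$IPT" -A FORWARD --fragment -p icmp -j DROP

"$IPT" -A INPUT -p icmp \
  --icmp-type source-quench -d "$DMZ_IPADDR" -j ACCEPT
"$IPT" -A OUTPUT -p icmp \
  --icmp-type source-quench -j ACCEPT
"$IPT" -A FORWARD -p icmp \
  --icmp-type source-quench -j ACCEPT

"$IPT" -A INPUT -p icmp \
  --icmp-type parameter-problem -j ACCEPT
"$IPT" -A OUTPUT -p icmp \
  --icmp-type parameter-problem -j ACCEPT
"$IPT" -A FORWARD -p icmp \
  --icmp-type parameter-problem -j ACCEPT

"$IPT" -A INPUT -p icmp \
  --icmp-type destination-unreachable -j ACCEPT
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p icmp \
  --icmp-type destination-unreachable -d "$LAN_ADDRESSES" -j ACCEPT
"$IPT" -A FORWARD -o "$LAN_INTERFACE" -p icmp \
  --icmp-type destination-unreachable -d "$LAN_ADDRESSES" -j ACCEPT

"$IPT" -A OUTPUT -p icmp \
  --icmp-type fragmentation-needed -j ACCEPT
"$IPT" -A FORWARD -p icmp \
  --icmp-type fragmentation-needed -j ACCEPT

# Don't log dropped outgoing ICMP error messages
"$IPT" -A OUTPUT -p icmp \
  --icmp-type destination-unreachable -j DROP
"$IPT" -A FORWARD -o "$DMZ_INTERFACE" -p icmp \
  --icmp-type destination-unreachable -j DROP

# Intermediate traceroute responses
"$IPT" -A INPUT -p icmp \
  --icmp-type time-exceeded -j ACCEPT
"$IPT" -A FORWARD -o "$LAN_INTERFACE" -p icmp \
  --icmp-type time-exceeded -d "$LAN_ADDRESSES" -j ACCEPT

# allow outgoing pings to anywhere
if [ "$CONNECTION_TRACKING" = "1" ]; then
  "$IPT" -A OUTPUT -p icmp \
    --icmp-type echo-request \
    -m state --state NEW -j ACCEPT
  "$IPT" -A FORWARD -o "$DMZ_INTERFACE" -p icmp \
    --icmp-type echo-request -s "$LAN_ADDRESSES" \
    -m state --state NEW -j ACCEPT
fi

# allow incoming pings from trusted hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
  "$IPT" -A INPUT -i "$DMZ_INTERFACE" -p icmp \
    -s "$GATEWAY_IPADDR" --icmp-type echo-request -d "$DMZ_IPADDR" \
    -m state --state NEW -j ACCEPT
  "$IPT" -A INPUT -i "$LAN_INTERFACE" -p icmp \
    -s "$LAN_ADDRESSES" --icmp-type echo-request -d "$LAN_IPADDR" \
    -m state --state NEW -j ACCEPT
fi

###############################################################
# DNS Name Server

# DNS LAN clients to private server (53)
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$LAN_IPADDR" --dport 53 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$LAN_IPADDR" --dport 53 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$DMZ_INTERFACE" -p udp \
  -s "$DMZ_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$DMZ_IPADDR" --dport 53 \
  -m state --state NEW -j ACCEPT

# DNS caching & forwarding name server (53)
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p udp \
  -s "$DMZ_IPADDR" --sport 53 \
  -d "$NAMESERVER" --dport 53 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p udp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NAMESERVER" --dport 53 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NAMESERVER" --dport 53 \
  -m state --state NEW -j ACCEPT

###############################################################
# Filtering the AUTH User Identification Service (TCP Port 113)

"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 113 \
  -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -p tcp \
  --sport "$UNPRIVPORTS" -d "$LAN_ADDRESSES" --dport 113 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" -d "$LAN_IPADDR" --dport 113 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_ADDRESSES" --sport "$UNPRIVPORTS" -d "$DMZ_IPADDR" --dport 113 \
  -m state --state NEW -j ACCEPT

###############################################################
# Sending Mail to the Mail Gateway Server (TCP Port 25)

"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$MAIL_SERVER" --dport 25 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$MAIL_SERVER" --dport 25 \
  -m state --state NEW -j ACCEPT

###############################################################
# Retrieving Mail as a POP Client (TCP Port 110)

"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$POP_SERVER" --dport 110 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$POP_SERVER" --dport 110 \
  -m state --state NEW -j ACCEPT

###############################################################
# Accessing Usenet News Services (TCP NNTP Port 119)

"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$NEWS_SERVER" --dport 119 \
  -m state --state NEW -j ACCEPT

###############################################################
# ssh (TCP Port 22)

"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$DMZ_ADDRESSES" --dport 22 \
  -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 22 \
  -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -p tcp \
  -s "$SSH_CLIENT" --sport "$UNPRIVPORTS" \
  -d "$SSH_CLIENT" --dport 22 \
  -m state --state NEW -j ACCEPT

###############################################################
# ftp (TCP Ports 21, 20)

# Outgoing Local Client Requests to Remote Servers
# (the data channel is matched as RELATED by the ftp helper)
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 21 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" --dport 21 \
  -m state --state NEW -j ACCEPT

###############################################################
# HTTP Web Traffic (TCP Port 80)

"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 80 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" --dport 80 \
  -m state --state NEW -j ACCEPT

###############################################################
# SSL Web Traffic (TCP Port 443)

"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 443 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" --dport 443 \
  -m state --state NEW -j ACCEPT

###############################################################
# whois (TCP Port 43)

"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -p tcp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" --dport 43 \
  -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p tcp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" --dport 43 \
  -m state --state NEW -j ACCEPT

###############################################################
# Networked Printer (TCP Port 515)

# LPD clients connect from a privileged source port.
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p tcp \
  -s "$LAN_IPADDR" --sport "$PRIVPORTS" \
  -d "$PRINTER_ADDRESS" --dport 515 \
  -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -p tcp \
  -s "$DMZ_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$PRINTER_ADDRESS" --dport 515 \
  -m state --state NEW -j ACCEPT

###############################################################
# Accessing Network Time Server (UDP 123)

# Note: Some client and servers use source port 123
# when querying a remote server on destination port 123.
"$IPT" -A OUTPUT -o "$DMZ_INTERFACE" -p udp \
  -s "$DMZ_IPADDR" --sport "$UNPRIVPORTS" \
  -d "$GATEWAY_IPADDR" --dport 123 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$LAN_ADDRESSES" --sport "$UNPRIVPORTS" \
  -d "$LAN_IPADDR" --dport 123 \
  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$LAN_ADDRESSES" --sport 123 \
  -d "$LAN_IPADDR" --dport 123 \
  -m state --state NEW -j ACCEPT

###############################################################
# Accessing a Local DHCP Server (UDP Ports 67, 68)

# Client discover/request: unbound clients send from 0.0.0.0 to broadcast
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$BROADCAST_SRC" --sport 68 \
  -d "$BROADCAST_DEST" --dport 67 -j ACCEPT
# Server offer/ack, before and after this host's own address is bound
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
  -s "$BROADCAST_SRC" --sport 67 \
  -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
  -s "$LAN_IPADDR" --sport 67 \
  -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$BROADCAST_SRC" --sport 68 \
  -d "$LAN_IPADDR" --dport 67 -j ACCEPT
# Unicast renewals (the original listed this OUTPUT rule twice)
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp \
  -s "$LAN_IPADDR" --sport 67 \
  -d "$LAN_ADDRESSES" --dport 68 -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp \
  -s "$LAN_ADDRESSES" --sport 68 \
  -d "$LAN_IPADDR" --dport 67 -j ACCEPT

###############################################################
# Logging Dropped Packets

# Anything reaching this point falls through to the DROP policy; log it
# first so the drop is visible.  NOTE(review): the DMZ-side INPUT/OUTPUT
# chains are not logged here, and there is no rate limit on these rules.
"$IPT" -A INPUT -i "$LAN_INTERFACE" -j LOG \
  --log-prefix "DROP input: "
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -j LOG \
  --log-prefix "DROP output: "
"$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$DMZ_INTERFACE" -j LOG \
  --log-prefix "DROP forward lan->dmz: "
"$IPT" -A FORWARD -i "$DMZ_INTERFACE" -o "$LAN_INTERFACE" -j LOG \
  --log-prefix "DROP forward dmz->lan: "

exit 0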